A Framework for Web Security TaaS Service in Cloud Environment

2014 IEEE 8th International Symposium on Service Oriented System Engineering

Test as a Service: A framework for Web security TaaS service in cloud environment

Yuan-Hsin Tung, Chen-Chiu Lin, Hwai-Ling Shan
Telecommunication Lab., Chunghwa Telecom Co., Ltd., Taiwan, ROC
[email protected], [email protected], [email protected]

infrastructure are well suited to provide testing services. In cloud testing, Testing-as-a-Service (TaaS) [2][15][19][27][29] is a new model to provide testing capabilities to end users effectively. There are many TaaS studies and commercial solutions. An example is the Oracle TaaS solution [23], a cloud-based platform for delivering automated application testing services. It is a self-service solution designed for private clouds that orchestrates the testing process end-to-end by automating the provisioning of test labs, including the application under test and test tools; executes load and/or functional test scripts against the application; provides rich application monitoring and diagnostics data for analysis; and also has a sophisticated chargeback facility for metering and charging end users for their usage of the testing cloud. Oracle TaaS makes it possible to significantly reduce testing time and costs without compromising quality, and enables organizations to be more agile in delivering critical business applications to their users. Another example is the HP Economic TaaS model [11], which provides customers with output-based, per-unit application testing for quality, performance and security. The HP software testing service delivery model gives customers lower application testing costs, the agility to manage change and respond to business demand, and a reduced risk of downtime that can negatively impact business. Software applications are constantly exposed to various threats and attacks, such as cross-site scripting, SQL injection, directory traversal, insecure configurations, and remote command execution vulnerabilities. Numerous tools, both commercial and open source, have therefore been developed for detecting web application vulnerabilities. Web vulnerability scanners are automated tools that test web applications for common security problems.
These tools crawl a web application and locate application-layer vulnerabilities and weaknesses, either by manipulating HTTP messages or by inspecting them for suspicious attributes. Security testing is well suited to cloud computing and TaaS service. In [16], Leo et al. propose a definition, process, and infrastructure for TaaS. However, several aspects of security testing in TaaS were not taken into consideration. To provide high reliability, flexibility and scalability of the TaaS system [8][13][14][15][17][21][29], in this paper we propose a framework of TaaS for security testing. The framework of our security TaaS consists of eight components: user interface component, request handler component, test scheduler component, test assignment component, test case management component, security scanner, tracing & monitoring, and price & billing. Based on this framework, we implement our own security TaaS application. The

Abstract—As its name suggests, cloud testing is a form of software testing which uses cloud infrastructure. Its effectively unlimited storage, quick availability of the infrastructure with scalability, flexibility and availability of a distributed testing environment translate to reduced execution time for testing large applications and hence lead to cost-effective solutions. In cloud testing, Testing-as-a-Service (TaaS) is a new model to effectively provide testing capabilities and on-demand testing to end users. There are many studies and solutions that support TaaS service, and security testing is the form most suited to TaaS service. To leverage the features of TaaS, we propose a framework of TaaS for security testing. We implement the prototype system, Security TaaS (abbrev. S-TaaS), based on our proposed framework. Experiments are conducted to evaluate the performance of our framework and prototype system. The experiment results indicate that our prototype system can provide quality and stable service.

Keywords: TaaS (Test as a Service), cloud computing, web vulnerability, security test, vulnerability detection

I. INTRODUCTION

Cloud computing [24] is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort. In cloud computing [19][26], software, platform, and infrastructure are provided as utility services available upon customer request. Today, leading players such as Amazon, Google, IBM, Microsoft, and VMware offer their cloud infrastructures as a service. Cloud computing supports an anything-as-a-service (XaaS) model and has three main service models: Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS). The system architecture of the cloud environment allows services to work properly with efficient performance. Software testing processes are generally labor-intensive and often involve substantial collaboration among testers, developers, and even users, and software testing has been one of the best practice areas for migrating to the cloud environment. Since cloud testing uses cloud infrastructure for software testing [2], its effectively unlimited storage, quick availability of the infrastructure with scalability, flexibility and availability of a distributed testing environment reduce the execution time of testing large applications and lead to cost-effective solutions. In the areas of cloud computing, the virtualization technologies and hardware/software

978-1-4799-3616-8/14 $31.00 © 2014 IEEE DOI 10.1109/SOSE.2014.36


prototype system is called Security TaaS (abbrev. S-TaaS). To leverage the features of cloud computing, we apply virtualization techniques to the construction of our prototype system. In the test scheduler component, we propose three algorithms to allocate security scanners to incoming tasks. An experiment has been conducted to evaluate the performance of our framework and prototype system. In the experiment, we construct S-TaaS with six security scanners on virtual machines. Our S-TaaS provided TaaS service to a telecom company during the period 2013/03/12~2013/10/22 and performed security tests over 456 times. The experimental results indicate that our prototype system provides quality and stable service.

Cloud testing is one kind of SaaS (Software as a Service), for which end users do not need to invest in any hardware, software or consultancy. A cloud testing service fulfills all of the users’ testing needs, allowing users to focus on core business activities. Test as a Service (TaaS) is a new model in cloud testing. In [16], STaaS is a model of software testing used to test an application as a service provided to customers across the Internet. In [15], Gao et al. proposed their definition of TaaS, which they refer to as providing static/dynamic on-demand testing services in/on/over clouds for third parties at any time and all the time (365/7/24). In [6], Testing as a Service (TaaS) is defined as an outsourcing model in which testing activities are performed by a service provider rather than by employees. TaaS providers offer on-demand testing services to meet the demands of an organization’s business activities. Adopting TaaS can also reduce the costs of testing through less costly, on-demand pricing. Various task scheduling and dispatching algorithms have been analyzed to improve the utilization of computing resources, and the scalability of the platform has been evaluated by increasing the test task load; those studies also highlight issues related to security. In [27], the authors conclude that TaaS has two key aspects: (1) a service to developers, and (2) a service to end users. They discuss software testing as a service from the software quality assurance perspective. In this paper, we apply the features of TaaS and propose the framework of security TaaS. Security TaaS is suitable for on-demand testing, and the framework is designed to support it.

II. RELATED WORK

A. Detection of Vulnerabilities by Security Scanner

Security scanners identify defects and weaknesses by checking against a collection of signatures of known vulnerabilities. These signatures are updated regularly as new vulnerabilities are discovered. In the search for vulnerabilities like XSS and SQL injection, the scanners execute many pattern variations adapted to the specific test in order to discover the vulnerability. There are two main approaches to testing web applications for vulnerabilities: “white box” and “black box”. The “white box” approach consists of the analysis of the source code of the web application. Static code analysis is a type of white-box analysis [5][7][22]. This can be done manually or by using code analysis tools like FORTIFY [10], Pixy [25], CodeSecure [4], etc. To detect vulnerabilities in the application, such as SQL injection and cross-site scripting, the static analyzer uses the web application code to follow all the possible paths and the changes the data may go through during the manipulation of the SQL query text, and finally parses the result. A black-box vulnerability scanner does not know the internal design of the web application and instead applies fuzzing techniques to the web HTTP requests. It simulates numerous scenarios, such as hackers’ intentional attacks or general users’ inadvertent attacks, and provides an automatic way to search for vulnerabilities, avoiding the repetitive and tedious task of doing hundreds or even thousands of tests by hand for each vulnerability type. There are many web vulnerability scanners for black-box testing, such as Acunetix Web Vulnerability Scanner [1], HP WebInspect [9], IBM AppScan [12], and Paros [20]. These testing tools support cloud testing very well.

III. FRAMEWORK OF SECURITY TEST IN TAAS

In this paper, we propose the framework of security TaaS and describe our implementation of the prototype system that provides service in the cloud environment based on our proposed framework. In this section, we depict the composition of our framework, the activities of its components, and the algorithms of the test scheduler.

A. Framework for security Test-as-a-Service

As shown in Fig. 1, there are eight main components in our proposed framework. Since there is a large number of requests for security scanning services in the cloud environment, a security TaaS system must take multiple requests and multiple hosts into account. The host structure must be distributed and adopt parallel processing to scan multiple targets simultaneously. In our implementation, we use a server farm and virtualization techniques to set up a scalable testing environment. Our framework contains eight main components: user interface component, request handler component, test scheduler component, test controller component, test case management component, security scanner, tracing & monitoring component, and price & billing component. We illustrate our proposed framework below.

B. Cloud computing and cloud testing

Cloud computing [3] relies on the sharing of resources to achieve coherence and economies of scale, similar to a utility over a network. At the foundation of cloud computing is the broader concept of converged infrastructure and shared services. There are three main service models in the cloud computing definition [24]: Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS); and four deployment models: private clouds, community clouds, public clouds and hybrid clouds.


Figure 1. Architecture of framework of Security TaaS


(1) User Interface: The test user interface is the first layer of the TaaS system. Users can directly access the TaaS system through the web or mobile apps. Users must log in and obtain authorization to use the TaaS system. Users manipulate the TaaS system through the authorized system functions of our proposed system, such as add new task, query, add new script, vulnerability statistics, add scheduling task, query scheduling task, delete task, and so on.

(2) Request Handler: The request handler is the second layer of the TaaS system. It receives commands from the upper layer and dispatches them to the corresponding components, such as the test scheduler, test controller, and test case management.

(3) Test Scheduler: The main functions of the test scheduler are to schedule test scans, pre-allocate testing resources, and generate the test plan. In the TaaS system there are multiple request tasks and several scanners. The security scanner is used to provide the security testing service. The TaaS system must schedule request tasks and allocate testing resources, i.e. security scanners, to satisfy users’ requests. The test scheduler determines an efficient testing plan to optimize scanning performance. For the corresponding situations, our security TaaS system proposes three main scheduling algorithms: 1. round robin, 2. minimal cost first, and 3. maximum cost first. Because of the modularization, our framework can be extended with further scheduling algorithms easily.

(4) Test Controller: The main function of the test controller component is to receive the test plan from the test scheduler and perform the test by organizing the security scanners and running the security scans. There are many operation functions to manage the scanners, such as start scan, pause scan, delete scan, and query scanning list. At the same time, the test controller must check the status of the security scanners to manage them and decide which test case in the test case base should be used. In certain contingent events, the test controller must stop the running scanner and delete the arrangement. In general, the test controller controls several security scanners of different size, capacity, or functionality. Since it is essential to be able to manage the resources to meet end users’ requests, the system is designed so that the parameters of a security scanner can be set through a common interface, such as a web service, SOA, and so on.

(5) Security Test Case Management: In software testing, the test case is an essential element. In order to fully test a targeted application, test cases are necessary for the various security threats and weaknesses of the software application. In security TaaS, the test case is critical for detecting security issues of the application. A test case is usually a set of steps, scripts, or processes to test the legitimate behavior, functionality, and features of an application. We store all test cases and testing results in the test case database. In security testing, the testing results are indispensable for engineers to fix security vulnerabilities.

(6) Tracing & Monitoring: In security TaaS, it is important to provide consistent service for end users. To enhance the reliability, flexibility and scalability of the information system, we propose the test monitor to track and monitor the status of the TaaS system. The test monitor module contains two parts: infrastructure monitoring and service monitoring. Infrastructure monitoring is used to monitor physical devices, while service monitoring is used to measure the status and operation of a running service on TaaS. The service provider defines the service level agreement (SLA) used to measure service quality, and the monitoring results are fed back to the price and billing module to calculate the bill.

(7) Price & Billing: The objective of the price & billing component is to produce billing information. The monitoring module obtains resource usage information. Billing uses the monitoring records and produces billing information for the service provider, considering the different resource prices and particular billing rules, e.g. discounts per consumption volume, different charges for different web site sizes, different prices for different security protocols, different prices depending on the hour of the day, etc.

(8) Security Scanner: The main function of the security scanner is security scanning. Security scanners identify defects and weaknesses, such as XSS and SQL injection. There are many web vulnerability scanners for black-box testing, such as Acunetix Web Vulnerability Scanner [1], HP WebInspect [9], and IBM AppScan [12].

B. User story of Security TaaS System

In software development and product management, a user story [28] is one or more sentences in the everyday or business language of the end user or user of a system that captures what a user does or needs to do as part of his or her job function. User stories are used as the basis for defining the functions a software system must provide, and to facilitate requirements management. User stories are a quick way of handling customer requirements without having to create formalized requirement documents and without performing the administrative tasks related to maintaining them. The intention of the user story is to be able to respond faster and with less overhead to rapidly changing real-world requirements. In this section, we adopt a user story diagram to interpret the scenario of the internal operations of the security TaaS system and the interactions between users and the system of the proposed framework. In Fig. 2, a user story scenario is proposed. The user accesses the TaaS system via the User Interface, which offers several functions. Then, the user’s request is forwarded to the corresponding component by the “Request Handler”. The “Test Scheduler” generates the “Security Test Plan” by referring to the test cases in “Test Case Management” and applying the proposed algorithm to allocate resources for the call. Finally, the “Test Controller” engages the security scanners according to the test plan and performs the testing for the users.

In heuristic rule 1, round robin heuristic (abbrev. RR), tasks are assigned to each scanner in equal portions and in circular order. In heuristic rule 2, minimum cost first heuristic (abbrev. MiCF), the task with the minimum execution cost is assigned to a scanner first. In heuristic rule 3, maximum cost first heuristic (abbrev. MaCF), the task with the maximum execution cost is assigned to a scanner first. According to the situation, the corresponding heuristic rule can be applied to arrange the scanning test plan. Round-robin scheduling [18] is simple, easy to implement, and starvation-free. In Fig. 3, the example with the round robin heuristic illustrates how the scanning test plan is generated. There are seven scanning tasks with different execution costs. In Table 1, the resulting scanning test plan, STP, is presented; the test scheduler generates it according to the RR scheduling algorithm.

Scanning Test Plan (Equation 2): $\text{STP}_{ij} = [\text{STask}_k]$, where $\text{STP}_{ij}$ is a matrix, $i$ is the number of the security scanner and $j$ is the number of the execution sequence.

Round Robin Heuristic (Equation 3.1), scheduling heuristic rule 1: assign $\text{STask}$ to the security scanners from 1 to $k$ in circular order.

Minimum Cost First Heuristic (Equation 3.2), scheduling heuristic rule 2: select the task with $\min_k \text{STask}_k.\text{Scan\_Time}$.

Maximum Cost First Heuristic (Equation 3.3), scheduling heuristic rule 3: select the task with $\max_k \text{STask}_k.\text{Scan\_Time}$.

Figure 2. A user story scenario of TaaS framework
Figure 3. Test scheduler assigns tasks to scanners with heuristic rule 1

Two important features of cloud computing are scalability and flexibility. We can extend the scale of the security TaaS system easily based upon the cloud computing architecture. In our proposed framework, the security scanners can be extended by applying virtualization techniques. A dynamic parallel architecture is imperative to support multiple security scanners conducting scanning tasks simultaneously.

C. Algorithms of TaaS Test Scheduler

The main purpose of the test scheduler component is to generate the scanning test plan for the TaaS system. The scanning test plan is a collection of scanning tasks, STask. In Equation 1, the scanning task is a vector that contains 8 features: scan ip, scan type, scan mode, scan profile, scanner, priority, scan time, and others. The features describe the scan task and set the testing environment of TaaS.

Scanning Task (Equation 1): $\text{STask} = (\text{scan\_ip}, \text{scan\_type}, \text{scan\_mode}, \text{scan\_profile}, \text{scanner}, \text{priority}, \text{scan\_time}, \text{others})$

To generate the scanning test plan, we propose three scheduling heuristic rules to assign scanning tasks to the scanners. The test scheduler applies a heuristic rule to generate the scanning test plan.

TABLE I. EXAMPLE OF SCANNING TEST PLAN, STPij=[STaskk]

STPij   Scanner1  Scanner2  Scanner3
1st     STask1    STask2    STask3
2nd     STask4    STask5    STask6
3rd     STask7
…
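The three scheduling heuristics and the STP matrix of Table I, as an added example that is not the paper's code: it orders a constructed seven-task sample by rule 1, 2 or 3, builds STP_ij, and reports the makespan of each plan. It assumes that under MiCF and MaCF each task, taken in cost order, goes to the scanner that becomes free earliest; the scan times are made up.

```python
"""Test scheduler heuristics of the security TaaS framework: RR, MiCF, MaCF.

Added example, not the paper's code. Assumption: the cost-ordered rules place
each task on the scanner with the earliest finish time; sample costs are made up.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class STask:
    """Scanning task vector of Equation 1 (scan ip, scan type, scan mode,
    scan profile, scanner, priority, scan time, others)."""
    task_id: int
    scan_ip: str
    scan_time: float            # execution cost in minutes (STask.Scan_Time)
    scan_type: str = "full"
    scan_mode: str = "black-box"
    scan_profile: str = "default"
    scanner: int = 0            # filled in by the scheduler (1-based)
    priority: int = 0
    others: Dict[str, str] = field(default_factory=dict)


def order_tasks(tasks: List[STask], rule: str) -> List[STask]:
    """Apply heuristic rule 1/2/3 to decide the order in which tasks are placed."""
    if rule == "RR":     # rule 1: arrival order, equal portions, circular
        return list(tasks)
    if rule == "MiCF":   # rule 2: min STask.Scan_Time first
        return sorted(tasks, key=lambda t: t.scan_time)
    if rule == "MaCF":   # rule 3: max STask.Scan_Time first
        return sorted(tasks, key=lambda t: t.scan_time, reverse=True)
    raise ValueError(f"unknown heuristic rule: {rule}")


def generate_stp(tasks: List[STask], n_scanners: int, rule: str) -> List[List[STask]]:
    """Build the scanning test plan STP_ij: result[i] is the execution sequence
    (index j) of scanner i+1. RR assigns circularly; the cost-ordered rules
    give each task to the scanner with the earliest finish time (assumption)."""
    if n_scanners < 1:
        raise ValueError("need at least one security scanner")
    plan: List[List[STask]] = [[] for _ in range(n_scanners)]
    finish = [0.0] * n_scanners          # accumulated scan time per scanner
    for pos, task in enumerate(order_tasks(tasks, rule)):
        if rule == "RR":
            i = pos % n_scanners
        else:
            i = min(range(n_scanners), key=lambda k: (finish[k], k))
        task.scanner = i + 1
        plan[i].append(task)
        finish[i] += task.scan_time
    return plan


def makespan(plan: List[List[STask]]) -> float:
    """Time until the last scanner finishes, the quantity the cost rules trade off."""
    return max(sum(t.scan_time for t in row) for row in plan)


def stp_rows(plan: List[List[STask]]) -> List[List[str]]:
    """Render STP_ij as the rows of Table I: row j lists task ids across scanners."""
    depth = max(len(row) for row in plan)
    return [[f"STask{plan[i][j].task_id}" if j < len(plan[i]) else ""
             for i in range(len(plan))] for j in range(depth)]


# Constructed sample: the seven tasks of Figure 3 / Table I with made-up costs.
SAMPLE_TASKS = [STask(k + 1, f"10.0.0.{k + 1}", cost)
                for k, cost in enumerate([30, 10, 20, 40, 15, 25, 5])]


def fresh_sample() -> List[STask]:
    """Copies of the sample so each rule schedules unassigned tasks."""
    return [STask(t.task_id, t.scan_ip, t.scan_time) for t in SAMPLE_TASKS]


def run_all(n_scanners: int = 3) -> Dict[str, float]:
    """Makespan of each heuristic on the sample with n_scanners scanners."""
    return {rule: makespan(generate_stp(fresh_sample(), n_scanners, rule))
            for rule in ("RR", "MiCF", "MaCF")}


if __name__ == "__main__":
    for rule in ("RR", "MiCF", "MaCF"):
        plan = generate_stp(fresh_sample(), 3, rule)
        print(rule, "makespan", makespan(plan))
        for j, row in enumerate(stp_rows(plan), 1):
            print(f"  seq {j}: {row}")
```

With the sample costs, RR reproduces the layout of Table I (STask7 in the third sequence of Scanner1) while MaCF gives the shortest plan, which is what the choice of rule per situation is about.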



IV. IMPLEMENTATION AND EXPERIMENTS

A. System Implementation

This study applies the proposed framework of the security TaaS system to implement the prototype system, called Security TaaS (abbrev. S-TaaS). The S-TaaS system is a web-based application developed using ASP.NET and MS SQL Server. S-TaaS also contains a log and report system to collect bug reports from security scanning. Fig. 4 shows that the prototype system contains four main parts and four databases. The four parts are the UI, the core, the databases, and the security scanner VMs. The core contains four main functions: test scheduler, test controller, test case management, and test monitor. Four databases are constructed to store information in S-TaaS. As shown in Fig. 5, the Testing User Interface provides interactive interfaces to the scanners. Fig. 6 shows that the user interface allows users to add new scanning tasks, and we propose an advanced scan setting for complex scanning tests. S-TaaS records scanning reports and stores the information in the report database. The Test Controller module assigns the test tasks to scanners according to the test plan. To evaluate the performance of the proposed prototype system, we put our system online for various experiments.


Figure 6. Advanced scan for security script of S-TaaS

S-TaaS provides on-line security testing services to detect web application vulnerabilities for end users. The services are constructed from virtual machines. End users log in to the system via LDAP authentication and simply enter the IP or web address (URL) of the web site to scan. End users can set scanning parameters easily via the user interface, and the system automatically sends the test reports to the end user’s e-mail account. From Fig. 5, we see that S-TaaS is easy to use and end users can finish the testing in only a few steps.

B. Experiment and Results

An experiment was designed to evaluate the capabilities of the proposed framework of Security TaaS. As shown in Table 2, 456 web applications were tested by S-TaaS, with 21141 critical vulnerabilities being detected. As shown in Table 3, we organize the testing results by vulnerability. In our observation, the most common vulnerabilities are cross-site scripting (reflected and stored), Unicode transformation issues, and blind SQL injection. S-TaaS can summarize the statistical results easily based on users’ scanning reports.


Figure 4. Architecture of prototype system, Security TaaS (S-TaaS)

TABLE II. SCANNING STATISTICS IN THE PERIOD 2013/03/12~2013/10/22

Item                             Value
System Availability              100%
System Running Period            2013/03/12 ~ 2013/10/22
Total Scanning Time              50995 Mins
Total Scanning Systems           456
Total Critical Vulnerabilities   21141
Total Medium Vulnerabilities     13068
Total Low Vulnerabilities        2846

Figure 5. User interface of S-TaaS

TABLE III. MOST COMMON VULNERABILITIES, TOP 10

No.  Vulnerability                               Quantity
1    Cross Site Scripting (Verified)             841
2    Unicode transformation issues               828
3    Blind SQL Injection                         263
4    SQL injection                               96
5    Cross Site Scripting                        87
6    Microsoft IIS tilde directory enumeration   38
7    SQL injection (verified)                    28
8    jQuery Cross Site Scripting                 15
9    PHP allow_url_fopen enabled                 14
10   Weak password                               13


[12] “IBM AppScan,” http://www-03.ibm.com/software/products/us/en/appscan [Last accessed 1 Nov. 2013]
[13] I.-H. Chung, G. Cong, D. Klepacki, S. Sbaraglia, S. Seelam, and H.-F. Wen, “A Framework for Automated Performance Bottleneck Detection,” IEEE International Symposium on Parallel and Distributed Processing (IPDPS 2008), pp. 1-7, 14-18 April 2008.
[14] I. Rish, M. Brodie, S. Ma, N. Odintsova, A. Beygelzimer, G. Grabarnik, and K. Hernandez, “Adaptive diagnosis in distributed systems,” IEEE Trans. on Neural Networks, Vol. 16, No. 5, Sep. 2005.
[15] J. Gao, X. Bai, and W. T. Tsai, “Cloud-Testing: Issues, Challenges, Needs and Practice,” Software Engineering: An International Journal (SEJI), Vol. 1, No. 1, pp. 9-23, September 2011.
[16] L. van der Aalst, “Software testing as a service (STaaS),” http://www.tmap.net/sites/tmap.net/files/attachments/Paper_STaaS.pdf [Last accessed 1 Nov. 2013]
[17] L. Cherkasova, W. Tang, and S. Singhal, “An SLA-Oriented Capacity Planning Tool for Streaming Media Services,” International Conference on Dependable Systems and Networks (DSN’04), Florence, Italy, 28 June - 1 July 2004.
[18] L. Lenzini, E. Mingozzi, and G. Stea, “Tradeoffs between low complexity, low latency, and fairness with deficit round-robin schedulers,” IEEE/ACM Transactions on Networking, Vol. 12, pp. 681-693, 2004.
[19] L. M. Riungu, O. Taipale, and K. Smolander, “Research Issues for Software Testing in the Cloud,” Third International Conference on Software Testing, Verification, and Validation Workshops (ICSTW 2010).
[20] “MileScan ParosPro,” [Online]. Available: http://www.milescan.com/hk/.
[21] M. Brodie, I. Rish, and S. Ma, “Optimizing probe selection for fault localization,” Distributed Syst. Oper. Manage., pp. 1147-1157, 2001.
[22] N. Jovanovic, C. Kruegel, and E. Kirda, “Pixy: A static analysis tool for detecting web application vulnerabilities (short paper),” IEEE Symposium on Security and Privacy, 2006, pp. 258-263.
[23] “Oracle Test-as-a-Service,” http://www.oracle.com/technetwork/oem/cloud-mgmt/testing-as-a-service--1905801.html [Last accessed 1 May 2013]
[24] P. Mell and T. Grance, “The NIST Definition of Cloud Computing,” Technical report, National Institute of Standards and Technology, September 2011.
[25] “PIXY,” https://security.web.cern.ch/security/recommendations/en/codetools/pixy.shtml [Last accessed 1 May 2013]
[26] R. Buyya, C. S. Yeo, S. Venugopal, J. Broberg, and I. Brandic, “Cloud computing and emerging IT platforms: Vision, hype, and reality for delivering computing as the 5th utility,” Future Generation Computer Systems 25 (2009), pp. 599-616.
[27] K. V. Arunkumar and E. Samlinson, “Testing As A Service (TaaS): An Enhanced Security Framework for TaaS in Cloud Environment,” International Journal of Internet Computing, Vol. 1.
[28] “User Story,” http://en.wikipedia.org/wiki/User_story [Last accessed 1 May 2013]
[29] X. Bai, M. Li, B. Chen, W.-T. Tsai, and J. Gao, “Cloud testing tools,” International Symposium on Service Oriented System Engineering (SOSE), pp. 1-12, 2011.

V. CONCLUSION

While TaaS is becoming a hot research topic in cloud testing and cloud computing, we note that a comprehensive framework of TaaS is important in building the TaaS service. Furthermore, the relationship between cloud testing and traditional testing is more complex than previously known. In this paper, we proposed a TaaS framework to assist service providers in building up the TaaS service, and we evaluated the performance of the proposed TaaS framework as applied to our prototype system. Two experiments were performed with our prototype TaaS system. The experimental results show that our framework is efficient for a TaaS service. In the near future, we will continue to add features to our proposed framework for the purpose of extending it to other services, such as performance testing, functional testing, mobile app testing, and so on. Meanwhile, we will also develop new evaluation techniques to shorten the time needed by the scheduling algorithm. In future studies we will also explore the effect of integrating multiple scanners from several tools, which may further enhance the performance of testing.

[1] “Acunetix Ltd, Web Vulnerability Scanner,” http://www.acunetix.com/vulnerability-scanner/ [Last accessed 1 May 2013]
[2] “Cloud testing,” http://en.wikipedia.org/wiki/Cloud_testing [Last accessed 1 May 2013]
[3] “Cloud computing,” http://en.wikipedia.org/wiki/Cloud_computing [Last accessed 1 May 2013]
[4] “CodeSecure,” http://www.armorize.com/codesecure/ [Last accessed 1 May 2013]
[5] D. Stuttard and M. Pinto, The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws. Wiley, 2007.
[6] “Definition: Testing as a Service (TaaS),” http://searchcloudapplications.techtarget.com/definition/Testing-as-a-Service-TaaS [Last accessed 1 May 2013]
[7] F. Yu, M. Alkhalaf, and T. Bultan, “Stranger: An automata-based string analysis tool for PHP,” TACAS, 2010, pp. 154-157.
[8] G. V. Kondraske, “Performance Theory: Implications for Performance Measurement, Task Analysis, and Performance Prediction,” Annual EMBS International Conference, Chicago, IL, 23-28 July 2000.
[9] “HP WebInspect,” https://download.hpsmartupdate.com/webinspect/ [Last accessed 1 May 2013]
[10] “HP FORTIFY,” http://www8.hp.com/us/en/software-solutions/software.html?compURI=1337262#.UYKTGaLAdmx [Last accessed 1 May 2013]
[11] “HP Test-as-a-Service,” http://www8.hp.com/us/en/software-solutions/software.html?compURI=1173731 [Last accessed 1 May 2013]
